Palo Alto EDU-110: URL Filtering

Objectives:

Describe how the firewall uses the PAN-DB database to filter user access to websites

Configure a custom URL filtering profile to minimise the number of blocked websites between trusted zones

Configure safe search and logging options

Configure access to only enterprise versions of SaaS applications

The URL Filtering Feature

Palo Alto Networks maintains the PAN-DB URL filtering database, which groups websites into categories.

If a Palo Alto Networks firewall has a valid URL filtering licence, it can use PAN-DB to filter user access to websites.

PAN-DB groups similar URLs into categories. For example, Yahoo's home page falls under the ‘internet-portal’ category, so an administrator who denies that category blocks Yahoo along with every other site in it.

An administrator can also create custom URL categories and use them as match criteria in firewall policies, even if the firewall has no URL filtering licence.

URL categories can be used as match criteria in Authentication, Decryption, QoS and Security policies.

The initial on-box URL cache is created from a seed database file downloaded from a PAN-DB cloud server.

The cache size depends on the firewall model, ranging from a few hundred thousand to a few million unique URLs.

The cache is backed up to disk every eight hours and when the administrator reboots the firewall.

Cached entries expire based on timeouts that the database carries for each URL; these timeouts are not configurable by the administrator.

If a URL is not found in the cache, the firewall queries the PAN-DB cloud servers for the category and then caches the answer to speed up future lookups.

Because lookups are on demand, the firewall does not need a nightly download of the whole URL database.

URL filtering can be applied to SSL/TLS-encrypted traffic even when it is not decrypted: the server name is visible in clear text during the TLS handshake (the SNI in the ClientHello and the name in the server certificate), so the firewall can categorise on the hostname and match that category in a Security policy rule. Only the hostname is available this way; the full path of the URL is visible only if the session is decrypted.

App-ID identifies such an undecrypted session as the application ssl.

URL Category: Policy compared to Profile

If a URL category is configured as part of a policy rule:

  • It is used as a match condition
  • URLs are matched to a predefined or custom URL category
  • The action is whatever the policy rule specifies
  • The URL category name is logged in the URL Filtering log

If a URL category is configured as part of a URL Filtering Security Profile:

  • The profile is applied only to traffic that a Security policy rule already allows
  • URLs are matched to block and allow lists, and to predefined or custom URL categories
  • Actions are configured more granularly, per individual URL or per URL category
  • Full URL details are logged in the URL Filtering log

URL Filtering Log

Access to a URL or URL category configured with the alert, block, continue or override action produces an entry in the URL Filtering log; the allow action does not generate a log entry.

For the actions that require user interaction, continue and override, the firewall logs both the initial blocking action and the user's successful response.

If the user clicks Continue on the response page, the firewall writes a block-continue entry followed by a continue entry.

URL Filtering Security Profile

The firewall ships with a predefined, read-only URL Filtering profile named default.

The default profile cannot be modified or deleted.

To adjust its options, clone the default profile or create a new URL Filtering profile.

A URL Filtering profile lets the administrator control and monitor how users access the web over HTTP and HTTPS.

The default profile blocks categories such as known malware sites, phishing sites and adult content.

A profile applied between trusted zones might block fewer websites than one applied between a trusted and an untrusted zone.

Remember, in a zero trust design no zone is completely trusted!

Multi-category and risk-based URL filtering

PAN-DB can assign multiple categories to a website: one or more describing its content and purpose, plus a security-related category describing how risky it is.

The security-related categories are:

  • high-risk
  • medium-risk
  • low-risk
  • newly-registered-domain

Websites in the newly-registered-domain category are domains that were registered in the last 32 days.

The high, medium and low risk levels indicate the level of suspicious activity detected on a website that has not yet been confirmed as a malware or phishing site.

When a Security policy rule matches on a security-related category, the firewall enforces it on risky sites regardless of the website's content or function.

For multi-category and risk-based URL filtering, the firewall needs to connect to the beta PAN-DB server.
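To make the policy-versus-profile split and the multi-category behaviour concrete, here is an added simulation written for these notes; it is not PAN-OS code. The hosts and their categories, the zone names, the policy rules and the profile contents are constructed sample data (category names follow PAN-DB naming), and the rule that the most severe action wins when several categories match is the behaviour being illustrated.

```python
"""Two-stage URL enforcement: a Security policy rule that uses URL category as a
match condition, then the URL Filtering profile attached to an allow rule.
Added illustration for these notes, not PAN-OS code.  Hosts, categories, zones,
rules and profile contents are constructed sample data."""

# Constructed sample: a site carries a content category plus a risk category.
SAMPLE_CATEGORIES = {
    "news.example.com": {"news", "low-risk"},
    "login-update.example.net": {"high-risk", "newly-registered-domain"},
    "portal.example.org": {"internet-portal", "medium-risk"},
    "dl.example.biz": {"malware"},
}

# When several categories match in a profile, the most severe action wins.
SEVERITY = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}

# Stage 1: Security policy.  url_category is an optional match condition, and
# the rule action itself is the enforcement (no profile is needed to deny).
POLICY = [
    {"name": "deny-risky", "from": "trust", "to": "untrust",
     "url_category": {"high-risk", "newly-registered-domain"}, "action": "deny"},
    {"name": "allow-web", "from": "trust", "to": "untrust",
     "url_category": None, "action": "allow", "profile": "corp-url"},
]

# Stage 2: URL Filtering profile attached to the allow rule.
PROFILES = {
    "corp-url": {
        "block_list": {"portal.example.org"},   # explicit block list wins over categories
        "allow_list": set(),
        "actions": {"malware": "block", "internet-portal": "continue", "news": "alert",
                    "medium-risk": "alert", "low-risk": "allow"},
        "default": "alert",                     # anything not listed, including unknown
    }
}


def profile_action(profile, host, categories):
    """Action the profile applies to one host: block/allow list first, then categories."""
    if host in profile["block_list"]:
        return "block"
    if host in profile["allow_list"]:
        return "allow"
    actions = [profile["actions"].get(c, profile["default"]) for c in categories]
    return max(actions, key=SEVERITY.__getitem__)


def evaluate(src_zone, dst_zone, host, categories=SAMPLE_CATEGORIES):
    """Return (matched rule name, resulting action, sorted categories) for one request."""
    cats = categories.get(host, {"unknown"})
    for rule in POLICY:
        if rule["from"] != src_zone or rule["to"] != dst_zone:
            continue
        if rule["url_category"] and not (rule["url_category"] & cats):
            continue
        if rule["action"] == "deny":
            return rule["name"], "deny", sorted(cats)
        profile = PROFILES.get(rule.get("profile"))
        action = profile_action(profile, host, cats) if profile else "allow"
        return rule["name"], action, sorted(cats)
    return None, "deny", sorted(cats)   # no rule matched: implicit interzone deny


if __name__ == "__main__":
    for host in list(SAMPLE_CATEGORIES) + ["new-site.example"]:
        print(host, evaluate("trust", "untrust", host))
```

Note what each stage can and cannot do: the deny rule stops login-update.example.net on its risk category alone, without a profile, while news.example.com reaches the profile and gets alert because alert outranks the allow that its low-risk category would give it on its own.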

URL Filtering Response Pages

Custom response pages are HTML and are limited to 16 KB.

A response page is displayed in the user's browser when they attempt to access a URL or URL category whose configured action is block, continue or override.

Each page includes the user's IP address, the URL they tried to access and its URL category.

If User-ID is enabled, the page shows the username instead of the IP address.

If a user successfully passes the continue or override response page, they have access to that category for 15 minutes and are not presented with the response page again during that time.

The override duration can be adjusted at Device -> Setup -> Content-ID -> URL Filtering.

The override password is set at Device -> Setup -> Content-ID -> URL Admin Override.

In a layer 3 deployment, URL filtering response pages require a layer 3 interface on the firewall with an Interface Management profile that allows response pages.

Response pages also work in a virtual wire configuration.

Safe Search and Logging Options

Safe search is a best-effort setting in web browsers and search engines that keeps sexually explicit content out of search results.

The search provider, not Palo Alto Networks, decides what counts as explicit. The firewall's knowledge of each provider's safe search settings is delivered through the weekly Applications and Threats content updates.

When Safe Search Enforcement is enabled, users of Google, Yahoo, Bing, Yandex or YouTube cannot view search results unless their browser is set to the strict safe search option.

A search request that lacks the strict setting is answered with a URL Filtering block page.

Search providers serve their results over HTTPS, so decryption must be enabled for the firewall to see the safe search setting in the request and enforce it.

If the Log container page only option is enabled, only the URL of the main container page is logged, not the URLs of the sub-resources that page pulls in. URL filtering generates many log entries, so enabling this option is recommended.

An HTTP request header may carry the User-Agent, Referer and X-Forwarded-For attribute-value pairs. Each can be logged by enabling the corresponding option in the URL Filtering profile's settings. Logging them supports the analysis of indicators of compromise, for example a scripted user agent, the page that referred a user to a phishing site, or the real client address behind a proxy.
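The log entries described in the URL Filtering Log section above (block-continue followed by continue) and the header fields just mentioned can be worked with as follows. This is an added example for these notes, not PAN-OS code and not the real PAN-OS log format: the five log lines are constructed in a simplified CSV layout, and the scripted-user-agent pattern and the 15-minute pairing window are assumptions chosen for the example.

```python
"""Working through URL Filtering log entries: pairing the block-continue and
continue records a user override produces, and pulling the logged User-Agent,
Referer and X-Forwarded-For values out for indicator-of-compromise review.
Added illustration for these notes, not PAN-OS code.  The log lines are
constructed, in a simplified CSV layout, not the real PAN-OS syslog format."""
import csv
import io
import re
from datetime import datetime, timedelta

FIELDS = ["time", "src", "user", "category", "url", "action",
          "user_agent", "referer", "xff"]

SAMPLE_LOG = """\
2024/05/01 09:10:03,10.1.1.20,acme\\alice,internet-portal,portal.example.org/,block-continue,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0,,
2024/05/01 09:10:09,10.1.1.20,acme\\alice,internet-portal,portal.example.org/,continue,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0,,
2024/05/01 09:12:44,10.1.1.31,acme\\bob,high-risk,login-update.example.net/verify,alert,python-requests/2.31,,
2024/05/01 09:13:02,10.1.1.50,,malware,dl.example.biz/x.exe,block,curl/8.4.0,http://login-update.example.net/verify,203.0.113.7
2024/05/01 09:20:15,10.1.1.20,acme\\alice,internet-portal,portal.example.org/,block-continue,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0,,
"""


def parse(text):
    """Parse the constructed CSV layout into dicts with a datetime timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["time"] = datetime.strptime(rec["time"], "%Y/%m/%d %H:%M:%S")
        rows.append(rec)
    return rows


def completed_overrides(rows, window=timedelta(minutes=15)):
    """Return ([(user, url) pairs where block-continue was followed by continue
    within the window], [prompts that were never followed through])."""
    pending = {}
    done = []
    for r in sorted(rows, key=lambda r: r["time"]):
        key = (r["src"], r["user"], r["url"])
        if r["action"] == "block-continue":
            pending[key] = r["time"]
        elif r["action"] == "continue" and key in pending:
            if r["time"] - pending.pop(key) <= window:
                done.append((r["user"], r["url"]))
    return done, sorted(pending)


# Assumed pattern for non-browser clients; tune it for your environment.
TOOL_AGENTS = re.compile(r"^(python-requests|curl|wget|powershell)", re.IGNORECASE)


def ioc_candidates(rows):
    """Records worth a second look: a scripted user agent, or an X-Forwarded-For
    showing a different client behind a proxy.  The referer is kept so the
    analyst can see which page led there."""
    out = []
    for r in rows:
        reasons = []
        if TOOL_AGENTS.match(r["user_agent"]):
            reasons.append("tool-user-agent")
        if r["xff"] and r["xff"] != r["src"]:
            reasons.append("xff-mismatch")
        if reasons:
            out.append((r["src"], r["url"], r["referer"], reasons))
    return out


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(completed_overrides(rows))
    print(ioc_candidates(rows))
```

In the sample, the curl download of dl.example.biz/x.exe carries a Referer pointing at the high-risk page bob's script visited a few seconds earlier, which is exactly the chain the logged headers let an analyst reconstruct.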

Configure Credential Phishing Prevention Method

Palo Alto Networks firewalls can identify and prevent in-progress phishing attacks by controlling the websites to which users may submit corporate credentials, based on the site's URL category.

This blocks users from submitting their credentials to untrusted websites while still allowing them to submit credentials to corporate and other authorised websites.

Before configuring it, the administrator must decide which method the firewall will use to determine whether credentials submitted to a web page are valid corporate credentials. Every method depends on User-ID.

Use IP User Mapping / Use Group Mapping

These two methods check only for the submission of a valid username. The firewall blocks or allows (depending on the configured action) the submission of that username together with whatever password accompanies it; the password itself is not examined.

Use Domain Credential Filter

This method also checks that the password submitted to the web page is the user's real password.

IP User Mapping: the firewall uses the IP-address-to-username mappings that the PAN-OS integrated User-ID agent collects to check whether the username submitted to a web page matches the username of the user logged in at that source address.

Group Mapping: the User-ID agent collects group mapping information from a directory server and retrieves a list of groups and their members. The firewall compares usernames from those groups with the usernames submitted to web pages.

Domain Credential Filter

The Windows-based User-ID agent is installed on a read-only domain controller (RODC). The agent collects password hashes for the users for whom credential detection is to be enabled. The firewall checks that the source IP address maps to the submitted username and that the submitted password belongs to that user. In this mode the firewall blocks or alerts on a submission only when the password entered matches the user's actual password.
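The difference between the three methods is easiest to see side by side. The following simulation is an added example for these notes, not PAN-OS or User-ID agent code. The IP-to-user mappings, the group membership, the passwords, the set of checked categories and the salted-hash credential store are all constructed; in particular the hashing is illustrative only and is not how the real agent stores what it collects from the RODC.

```python
"""Simulation of the three credential-detection methods, showing what each one
actually compares for submissions to URL categories the profile checks.
Added illustration for these notes, not PAN-OS or User-ID agent code.  The
mappings, group membership, passwords and hashed store are constructed."""
import hashlib

# User-ID data the firewall would hold (constructed).
IP_USER_MAP = {"10.1.1.20": "acme\\alice", "10.1.1.31": "acme\\bob"}
GROUP_MEMBERS = {"acme\\alice", "acme\\bob", "acme\\carol"}

# Domain credential filter: hashes the agent collected from a read-only domain
# controller.  A plain set of salted SHA-256 digests is used here purely for
# illustration; the real agent's hashing and storage are different.
SALT = b"constructed-salt"


def credential_digest(username, password):
    return hashlib.sha256(SALT + username.lower().encode() + b":" + password.encode()).hexdigest()


CREDENTIAL_STORE = {credential_digest("acme\\alice", "Spring2024!"),
                    credential_digest("acme\\bob", "correct horse battery")}

# URL categories the profile is configured to check submissions for (constructed).
CHECKED_CATEGORIES = {"unknown", "high-risk", "newly-registered-domain", "phishing"}


def corporate_credential_submitted(method, src_ip, username, password, category):
    """True if the submission counts as a corporate credential under `method`."""
    if category not in CHECKED_CATEGORIES:
        return False                      # other categories are not checked at all
    user = username.lower()
    mapped = IP_USER_MAP.get(src_ip, "").lower()
    if method == "ip-user-mapping":
        return user == mapped             # username only; the password is ignored
    if method == "group-mapping":
        return user in {g.lower() for g in GROUP_MEMBERS}   # username only
    if method == "domain-credential-filter":
        # source IP must map to the submitted user AND the password must match
        return user == mapped and credential_digest(user, password) in CREDENTIAL_STORE
    raise ValueError(f"unknown method {method!r}")


def verdict(method, profile_action, *submission):
    """The profile action ('alert' or 'block') if a credential was detected, else 'allow'."""
    return profile_action if corporate_credential_submitted(method, *submission) else "allow"


if __name__ == "__main__":
    for method in ("ip-user-mapping", "group-mapping", "domain-credential-filter"):
        print(method, verdict(method, "block", "10.1.1.20", "acme\\alice", "wrong-password", "high-risk"))
```

Run as shown, the first two methods report block for alice's username with a wrong password while the domain credential filter allows it, which is the practical trade-off: the username-only methods are simpler to deploy but will fire on any form that happens to contain a valid username.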

HTTP Header Insertion and Modification

Software as a service (SaaS) applications are prone to data exfiltration through the consumer version of the same application. The firewall can perform HTTP header insertion as a way to allow access to the enterprise version of an application while blocking access to its consumer version. The firewall inserts the header when the identified header is missing from a request; if the header already exists, it is overwritten with the value the administrator has defined.

HTTP header insertion can be based on several predefined types: Dropbox, Google, Office 365 and YouTube. To perform header insertion for an application that is not predefined, the administrator can create a custom HTTP header type, which can also be used to modify standard HTTP headers. Because these applications are served over HTTPS, the traffic must be decrypted for the firewall to insert or modify headers.
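Both Safe Search Enforcement (described in the Safe Search section above) and header insertion act on a decrypted HTTP request, so one added example can show the two checks together. It is written for these notes and is not PAN-OS code. The allowed domain, tenant and team-id values are constructed; the query parameters and header names are the ones the search providers and SaaS vendors document for their enterprise controls; and treating only requests whose path starts with /search as search requests is a simplification of how the firewall recognises them.

```python
"""Two URL Filtering features that act on a decrypted HTTP request: Safe Search
enforcement (is the strict setting present in the search request?) and HTTP
header insertion (add the enterprise header, overwriting any existing value).
Added illustration for these notes, not PAN-OS code.  Tenant/domain values are
constructed; the /search path test is a simplification."""
from urllib.parse import parse_qs, urlsplit

# Query parameter that signals strict safe search, per provider.
# (YouTube is handled through the YouTube-Restrict header below instead.)
SAFE_SEARCH_PARAMS = {
    "www.google.com": ("safe", {"active", "strict"}),
    "www.bing.com": ("adlt", {"strict"}),
    "search.yahoo.com": ("vm", {"r"}),
    "yandex.com": ("family", {"yes"}),
}

# Predefined header insertion types and the header each one uses; the values
# (allowed domain, tenant, team id) are constructed examples.
HEADER_INSERTION = {
    "www.google.com": ("X-GooGApps-Allowed-Domains", "corp.example.com"),
    "www.youtube.com": ("YouTube-Restrict", "Strict"),
    "outlook.office.com": ("Restrict-Access-To-Tenants", "corp.example.com"),
    "www.dropbox.com": ("X-Dropbox-allowed-Team-Ids", "dbtid:AAAAexample"),
}


def safe_search_verdict(url):
    """'allow' or 'block' for a search request; non-search requests are left alone."""
    parts = urlsplit(url)
    rule = SAFE_SEARCH_PARAMS.get(parts.hostname)
    if rule is None or not parts.path.startswith("/search"):
        return "allow"
    param, accepted = rule
    values = parse_qs(parts.query).get(param, [])
    return "allow" if any(v in accepted for v in values) else "block"


def insert_headers(host, headers):
    """Return the request headers with the enterprise header inserted or overwritten."""
    rule = HEADER_INSERTION.get(host)
    if rule is None:
        return dict(headers)
    name, value = rule
    # Header names are case-insensitive: drop any spelling the client sent,
    # then set the administrator's value so a client cannot pre-empt it.
    out = {k: v for k, v in headers.items() if k.lower() != name.lower()}
    out[name] = value
    return out


if __name__ == "__main__":
    print(safe_search_verdict("https://www.google.com/search?q=kittens"))
    print(insert_headers("www.google.com", {"Host": "www.google.com",
                                            "x-googapps-allowed-domains": "personal.example"}))
```

The case-insensitive overwrite matters: a user who adds their own X-GooGApps-Allowed-Domains header (in any capitalisation) to reach a personal account must not win over the administrator's value, which is why the existing header is removed rather than merely left alongside the inserted one.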

Handling Unknown URLs

A URL matched to the unknown category has not yet been categorised: it exists neither in the filtering database on the firewall nor in the PAN-DB cloud. Although the action for unknown is initially set to alert, good practice is to consider blocking access to unknown websites and allowing access only to permitted categories.

Handling Not-Resolved URLs

A URL matched to the not-resolved category was not found in the on-box URL filtering database, and the firewall was unable to reach the cloud to check the category. Configuring the block action for not-resolved can be disruptive to end users. Configuring it as alert lets users through while generating log entries that tell an administrator URLs are not being resolved to categories.

To verify the PAN-DB cloud status, enter the following CLI command; it should report the firewall as connected:

show url-cloud status

To check how a single URL is categorised, test url <url> performs a lookup from the CLI.

Not-resolved results can also be a symptom of the firewall running short of CPU; the System Resources widget on the Dashboard can confirm this.
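The cache, expiry and cloud-fallback behaviour described in The URL Filtering Feature section, together with the unknown and not-resolved outcomes above, can be traced through the following added simulation. It is written for these notes and is not PAN-OS code: the hosts, their categories and TTLs, the fake clock and the cloud reachability switch are all constructed, and the SPECIAL_ACTIONS mapping simply encodes the recommendation given above.

```python
"""Simulated PAN-DB lookup path: the on-box URL cache with per-entry expiry, the
cloud lookup on a cache miss, and the two special categories a practitioner has
to plan for (unknown and not-resolved).  Added illustration for these notes,
not PAN-OS code.  Hosts, categories, TTLs and the clock are constructed."""
import time


class CloudUnreachable(Exception):
    """The simulated PAN-DB cloud could not be contacted."""


class UrlCategoriser:
    def __init__(self, cloud_lookup, clock=time.monotonic):
        self.cloud_lookup = cloud_lookup   # callable(host) -> (category, ttl_seconds) or None
        self.clock = clock
        self.cache = {}                    # host -> (category, expires_at)
        self.stats = {"cache_hit": 0, "cloud": 0, "not_resolved": 0}

    def categorise(self, host):
        now = self.clock()
        entry = self.cache.get(host)
        if entry is not None and entry[1] > now:
            self.stats["cache_hit"] += 1
            return entry[0]
        try:
            result = self.cloud_lookup(host)
        except CloudUnreachable:
            self.stats["not_resolved"] += 1
            return "not-resolved"          # cloud down: nothing cached, the profile action decides
        self.stats["cloud"] += 1
        if result is None:
            return "unknown"               # not categorised in the cloud either
        category, ttl = result
        self.cache[host] = (category, now + ttl)   # expiry arrives with the entry, not from the admin
        return category


# Profile actions for the two special categories, as recommended above:
# block what has never been categorised, only alert when the cloud is unreachable.
SPECIAL_ACTIONS = {"unknown": "block", "not-resolved": "alert"}


def make_cloud(table, reachable):
    """Build a cloud lookup over a constructed category table with a reachability switch."""
    def lookup(host):
        if not reachable():
            raise CloudUnreachable(host)
        return table.get(host)
    return lookup


def demo():
    """Run a fixed sequence of lookups against a fake clock and return what happened."""
    clock = [0.0]
    cloud_up = [True]
    cloud = make_cloud({"news.example.com": ("news", 3600),
                        "cdn.example.net": ("content-delivery-networks", 60)},
                       lambda: cloud_up[0])
    cat = UrlCategoriser(cloud, clock=lambda: clock[0])
    seen = [cat.categorise("news.example.com"),    # cache miss -> cloud
            cat.categorise("news.example.com"),    # cache hit
            cat.categorise("brand-new.example"),   # cloud has no entry -> unknown
            cat.categorise("cdn.example.net")]     # cached with a 60 s TTL
    clock[0] += 120                                # past the CDN entry's expiry
    cloud_up[0] = False                            # and now the cloud is unreachable
    seen += [cat.categorise("news.example.com"),   # still within TTL -> served from cache
             cat.categorise("cdn.example.net")]    # expired and cloud down -> not-resolved
    actions = [SPECIAL_ACTIONS.get(c, "allow") for c in seen]
    return seen, actions, dict(cat.stats)


if __name__ == "__main__":
    print(demo())
```

The last two lookups are the point: with the cloud unreachable, a host still inside its TTL keeps its category, while one whose entry has expired falls to not-resolved, which is why a sudden rise in not-resolved log entries after a connectivity or CPU problem is expected rather than a sign of a policy change.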
